CVE-2026-53247
Received Received - Intake
Use-After-Free in MediaTek Ethernet Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53247
EUVD
EUVD-2026-39198
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's MediaTek Ethernet driver (mtk_eth_soc). The problem occurs because the function mtk_free_dev() calls metadata_dst_free(), which frees a metadata destination object immediately using kfree(), bypassing the required RCU (Read-Copy-Update) grace period.

In the receive (RX) path, skb_dst_set_noref() sets a non-reference-counted pointer from a socket buffer (skb) to this metadata destination. This pointer requires RCU read-side protection, meaning the metadata destination must remain valid until all RCU readers have finished accessing it.

Because metadata_dst_free() frees the memory immediately, a use-after-free can occur if any skb still holds a pointer to the freed metadata destination when the driver tears it down.

The fix replaces metadata_dst_free() with dst_release(), which properly manages the reference count and delays freeing the memory until all RCU readers have completed, preventing the use-after-free condition.

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior in the Linux kernel, potentially causing system crashes, memory corruption, or security issues such as privilege escalation or denial of service.

If exploited, an attacker might be able to execute arbitrary code within the kernel or disrupt network functionality, impacting system stability and security.

Mitigation Strategies

The vulnerability is fixed by replacing the use of metadata_dst_free() with dst_release() in the Linux kernel's mtk_eth_soc driver. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Since the issue involves a use-after-free in the ethernet driver, immediate mitigation steps include applying the latest kernel patches or upgrading to a kernel version released after 2026-06-25 that contains this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart